Oper block
In oper blocks you define all the IRC Operators accounts. Once defined you use the /OPER command on IRC to become IRCOp.
Recommended reading:
- IRCOp guide for any new IRCOps
- Special users for defining users with extra privileges that are NOT IRCOps
Syntax
oper <name> {
    /* Required items: */
    mask <hostmask>;
    class <class-name>;
    operclass <operclass-name>;

    /* Optional items to further limit who can /OPER */
    password <password>;
    auto-login <yes|no>;
    require-modes <modes>;
    maxlogins <num>;

    /* Optional items to define what will be set upon successful /OPER */
    vhost <new virtual hostname>;
    swhois <whois info>;
    modes <modes>;
    snomask <snomask>;
    server-notice-colors yes|no;
    server-notice-show-event yes|no;
};
Required items
name
The name in the oper name { block defines which name to use in the OPER command on IRC (/OPER name password). This name is case sensitive!
Most people use their nick name here. You can use latin characters (A-Z a-z), numbers and _-[]. Do not use special characters like ö (as in Björn) or Arabic/Greek/etc. Such characters may cause you problems with /OPER'ing due to character set differences.
password
The password item defines the password to use. Passwords are case sensitive. Instead of using a plaintext password here, we highly recommend you to use Hashed passwords or SSL certificate fingerprints, see Authentication types.
In UnrealIRCd 6.0.4 and later the password item is no longer required. If you don't put a password then be sure to use a good mask (see next)!
mask
The mask defines from which host/IP this oper block may be used, this can be used for increased security. Set this to mask *; if you want to permit any IP.
You may also use multiple masks, in which case the syntax becomes like: mask { 192.168.0.0/16; *.example.net; };
See Mask item for more options. For example, instead of an IP address or host, you can require a certain certificate fingerprint: mask { certfp "00112233etc."; } or a Services account: mask { account TrustedUser; }
class
After a successful /OPER attempt the user will be put in the class you specify here. It's recommended to use a special class you created for opers (eg: class opers;) that typically has higher flood limits than ordinary users.
operclass
This defines which Operclass block to use. The operclass block configures which privileges this IRCOp will have (which IRCOp commands you may use, etc..).
See the default list of operclasses from which you can choose. The highest are netadmin and netadmin-with-override.
Optional items
auto-login
NOTE: Requires UnrealIRCd 6.0.4 or later
If auto-login is set to yes then the user is automatically logged in if they match the mask. In this case there can be no password item.
This is generally only used for logins with certfp, see the automatic oper example at the end of this article.
maxlogins
This allows you to restrict the number of concurrent oper logins from this host, for example if you set it to 1 then only 1 person can be oper'ed via this block at any time.
vhost
This hostname (virtual host) will be set after you successfully oper up.
swhois
Allows you to add one or more extra lines to the /WHOIS information for this oper. For example:
swhois "a Network Administrator";
modes
Set these user modes after successful oper up.
snomask
By default an IRCOp gets the Snomasks from set::snomask-on-oper. You can use this oper::snomask to specify a different set of snomasks. See Snomasks for a full list.
snomask "+bBcdfk";
auto-join
By default an IRCOp will be joined to the channels in set::oper-auto-join. You can override this setting by setting an oper::auto-join in an individual oper block. If you use this, don't forget to use double quotes and optionally specify multiple channels with a comma. Eg: auto-join "#opers,#staff";
require-modes
Here you can put user modes that the user must have in order to use the OPER command. For example, you can put z here to require opers to use an SSL/TLS connection.
This setting is not used much anymore, as requiring IRCOps to be on TLS is nowadays already done via set::plaintext-policy::oper (which is even on by default).
server-notice-colors
Note: this setting only exists in UnrealIRCd 6 and later
Enable or disable colors in server notices (to snomasks). Valid options are yes and no. The default for all IRCOps is configured via set::server-notice-colors.
server-notice-show-event
Note: this setting only exists in UnrealIRCd 6.0.2 and later
Enable or disable showing of the subsystem.event (eg: connect.LOCAL_CLIENT_CONNECT) in server notices to snomasks. Valid options are yes and no. The default for all IRCOps is configured via set::server-notice-show-event.
Examples
Simple example
oper bobsmith {
    class opers;
    mask { smithco.com; *.somedialupisp.com; };
    password "f00";
    operclass netadmin;
    swhois "a Network Administrator";
};
Automatic oper
NOTE: This requires UnrealIRCd 6.0.4 or later
This uses the certificate fingerprint 00112233etc. If the user connects with SSL/TLS with that client certificate fingerprint they become IRCOp automatically; they don't have to type the OPER command.
oper bobsmith {
    auto-login yes;
    mask { certfp "00112233etc."; }
    class opers;
    operclass netadmin;
    swhois "a Network Administrator";
};
Using security-groups
NOTE: This requires UnrealIRCd 6.0.4 or later
This uses the certificate fingerprint 00112233etc. We create a security-group first, and then use that security-group in both the oper { } block and the except ban { } block.
security-group bobsmith {
    certfp "00112233etc.";
}

oper bobsmith {
    auto-login yes;
    mask { security-group bobsmith; }
    class opers;
    operclass netadmin;
    swhois "a Network Administrator";
};

/* Be nice and exempt the oper from server bans too */
except ban {
    mask { security-group bobsmith; }
    type all;
}
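An added example, not part of the UnrealIRCd documentation or code base: a small Python audit that reads oper blocks and flags the risky combinations this page warns about (plaintext password, mask *, no password without a strong mask, auto-login together with a password). The finding names, the rule that a hashed password starts with `$`, and treating only certfp/account/security-group masks as sufficient when there is no password are this example's assumptions; `#` and `//` comments are not handled.

```python
import re

# Constructed sample config for this example; the fingerprint is the page's placeholder.
SAMPLE = '''
oper bobsmith { class opers; mask { smithco.com; *.somedialupisp.com; };
    password "f00"; operclass netadmin; };
oper alice { mask *; class opers; operclass netadmin; };  /* no password */
oper carol { auto-login yes; mask { certfp "00112233etc."; } class opers; operclass netadmin; };
'''
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')
STRONG = ("certfp", "account", "security-group")  # mask types named on the page

def parse(tok, i=0):
    """Return ([(words, children), ...], next_index) for one nesting level."""
    items, words = [], []
    while i < len(tok):
        t, i = tok[i], i + 1
        if t in ("{", ";"):
            kids, i = parse(tok, i) if t == "{" else ([], i)
            if words:
                items.append((words, kids))
            words = []
        elif t == "}":
            break
        else:
            words.append(t)
    return items, i

def audit(conf):
    """Map each oper block name to a list of finding codes (names are hypothetical)."""
    tok = TOKEN.findall(re.sub(r"/\*.*?\*/", "", conf, flags=re.S))
    report = {}
    for words, kids in parse(tok)[0]:
        if words[:1] != ["oper"] or len(words) != 2:
            continue
        item = {w[0]: (w[1:], k) for w, k in kids}
        args, sub = item.get("mask", ([], []))
        masks = ([args] if args else []) + [w for w, _ in sub]
        pw, pw_type = item.get("password", ([], []))
        report[words[1]] = found = []
        if pw and not pw_type and not pw[0].strip('"').startswith("$"):
            found.append("plaintext-password")  # assumption: hashes start with '$'
        if ["*"] in masks:
            found.append("mask-any")
        if not pw and not any(m[0] in STRONG for m in masks):
            found.append("no-password-weak-mask")
        if pw and item.get("auto-login", ([], []))[0] == ["yes"]:
            found.append("auto-login-with-password")  # page: not allowed together
    return report
```

Run `audit()` over the text of the configuration file that holds the oper blocks; an empty list for a block means none of these four checks fired.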
Walking through bans, joining invite only channels
If IRCOps want to bypass channel restrictions, like joining a +i channel or walking through bans, op'ing yourself in a channel, etc. then see the OperOverride article for all information on this.